Configure Project Quay

Getting started with Project Quay configuration

Project Quay can be deployed by an independent, standalone configuration, or by using the OpenShift Container Platform Project Quay Operator.

How you create, retrieve, update, and validate the Project Quay configuration varies depending on the type of deployment you are using. However, the core configuration options are the same for either deployment type. Core configuration can be set by one of the following options:

Directly, by editing the config.yaml file. See "Editing the configuration file" for more information.
Programmatically, by using the configuration API. See "Using the configuration API" for more information.
Visually, by using the configuration tool UI. See "Using the configuration tool" for more information.

For standalone deployments of Project Quay, you must supply the minimum required configuration parameters before the registry can be started. The minimum requirements to start a Project Quay registry can be found in the "Retrieving the current configuration" section.

If you install Project Quay on OpenShift Container Platform using the Project Quay Operator, you do not need to supply configuration parameters because the Project Quay Operator supplies default information to deploy the registry.

After you have deployed Project Quay with the desired configuration, you should retrieve, and save, the full configuration from your deployment. The full configuration contains additional generated values that you might need when restarting or upgrading your system.

Project Quay configuration disclaimer

With both standalone and Operator-based deployments of Project Quay certain features and configuration parameters are not actively used or implemented. As a result, feature flags, such as those that enable or disable certain features, and configuration parameters that are not explicitly documented or requested for documentation by Red Hat Support, should only be modified with caution. Unused features or parameters might not be fully tested, supported, or compatible with Project Quay. Modifying unused features parameters might lead to unexpected issues or disruptions with your deployment.

For information about configuring Project Quay in standalone deployments, see Advanced Project Quay configuration

For information about configuring Project Quay Operator deployments, see Configuring Project Quay on OpenShift Container Platform

Configuration updates for Project Quay 3.10

The following sections detail new configuration fields added in Project Quay 3.10.

Namespace auto-pruning configuration fields

With Project Quay 3.10, deployments can be configured to automatically prune old image tags by a specified, allotted amount, or by the time in which they were created.

Table 1. Namespace auto-pruning configuration field
Field	Type	Description
FEATURE_AUTO_PRUNE	Boolean	When set to `True`, enables functionality related to the auto-pruning of tags. Default: `False`
SECURITY_SCANNER_V4_MANIFEST_CLEANUP	Boolean	When set to `true` the Project Quay garbage collector removes manifests that are not referenced by other tags or manifests. Default: `True`
ROBOTS_DISALLOW	Boolean	When set to `true`, robot accounts are prevented from all interactions, as well as from being created Default: `False`
FEATURE_UI_V2_REPO_SETTINGS	Boolean	When set to `True`, enables repository settings in the Project Quay v2 UI. Default: `False`

Editing the configuration file

To deploy a standalone instance of Project Quay, you must provide the minimal configuration information. The requirements for a minimal configuration can be found in "Project Quay minimal configuration."

After supplying the required fields, you can validate your configuration. If there are any issues, they will be highlighted.

Note	It is possible to use the configuration API to validate the configuration, but this requires starting the Quay container in configuration mode. For more information, see "Using the configuration tool."

For changes to take effect, the registry must be restarted.

Location of configuration file in a standalone deployment

For standalone deployments of Project Quay, the config.yaml file must be specified when starting the Project Quay registry. This file is located in the configuration volume. For example, the configuration file is located at $QUAY/config/config.yaml when deploying Project Quay by the following command:

$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   -v $QUAY/storage:/datastorage:Z \
   quay.io/projectquay/quay:v3.10.0

Minimal configuration

The following configuration options are required for a standalone deployment of Project Quay:

Server hostname
HTTP or HTTPS
Authentication type, for example, Database or Lightweight Directory Access Protocol (LDAP)
Secret keys for encrypting data
Storage for images
Database for metadata
Redis for build logs and user events
Tag expiration options

Sample minimal configuration file

The following example shows a sample minimal configuration file that uses local storage for images:

AUTHENTICATION_TYPE: Database
BUILDLOGS_REDIS:
    host: quay-server.example.com
    password: strongpassword
    port: 6379
    ssl: false
DATABASE_SECRET_KEY: 0ce4f796-c295-415b-bf9d-b315114704b8
DB_URI: postgresql://quayuser:quaypass@quay-server.example.com:5432/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
    default:
        - LocalStorage
        - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
PREFERRED_URL_SCHEME: http
SECRET_KEY: e8f9fe68-1f84-48a8-a05f-02d72e6eccba
SERVER_HOSTNAME: quay-server.example.com
SETUP_COMPLETE: true
TAG_EXPIRATION_OPTIONS:
    - 0s
    - 1d
    - 1w
    - 2w
    - 4w
USER_EVENTS_REDIS:
    host: quay-server.example.com
    port: 6379
    ssl: false

Note	The `SETUP_COMPLETE` field indicates that the configuration has been validated. You should use the configuration editor tool to validate your configuration before starting the registry.

Local storage

Using local storage for images is only recommended when deploying a registry for proof of concept purposes.

When configuring local storage, storage is specified on the command line when starting the registry. The following command maps a local directory, $QUAY/storage to the datastorage path in the container:

$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   -v $QUAY/storage:/datastorage:Z \
   quay.io/projectquay/quay:v3.10.0

Cloud storage

Storage configuration is detailed in the Image storage section. For some users, it might be useful to compare the difference between Google Cloud Platform and local storage configurations. For example, the following YAML presents a Google Cloud Platform storage configuration:

$QUAY/config/config.yaml

DISTRIBUTED_STORAGE_CONFIG:
    default:
        - GoogleCloudStorage
        - access_key: GOOGQIMFB3ABCDEFGHIJKLMN
          bucket_name: quay_bucket
          secret_key: FhDAYe2HeuAKfvZCAGyOioNaaRABCDEFGHIJKLMN
          storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default

When starting the registry using cloud storage, no configuration is required on the command line. For example:

$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   quay.io/projectquay/quay:v3.10.0

Configuration fields

This section describes the both required and optional configuration fields when deploying Project Quay.

Required configuration fields

The fields required to configure Project Quay are covered in the following sections:

General required fields
link::https://access.redhat.com/documentation/en-us/red_hat_quay/3.10/html-single/configure_red_hat_quay/index#config-fields-storage[Storage for images]
Database for metadata
Redis for build logs and user events
Tag expiration options

Automation options

The following sections describe the available automation options for Project Quay deployments:

Pre-configuring Project Quay for automation
Using the API to create the first user

Optional configuration fields

Optional fields for Project Quay can be found in the following sections:

General required fields

The following table describes the required configuration fields for a Project Quay deployment:

Table 2. General required fields
Field	Type	Description
AUTHENTICATION_TYPE (Required)	String	The authentication engine to use for credential authentication. Values: One of `Database`, `LDAP`, `JWT`, `Keystone`, `OIDC` Default: `Database`
PREFERRED_URL_SCHEME (Required)	String	The URL scheme to use when accessing Project Quay. Values: One of `http`, `https` Default: `http`
SERVER_HOSTNAME (Required)	String	The URL at which Project Quay is accessible, without the scheme. Example: `quay-server.example.com`
DATABASE_SECRET_KEY (Required)	String	Key used to encrypt sensitive fields within the database. This value should never be changed once set, otherwise all reliant fields, for example, repository mirror username and password configurations, are invalidated.
SECRET_KEY (Required)	String	Key used to encrypt sensitive fields within the database and at run time. This value should never be changed once set, otherwise all reliant fields, for example, encrypted password credentials, are invalidated.
SETUP_COMPLETE (Required)	Boolean	This is an artefact left over from earlier versions of the software and currently it must be specified with a value of `true`.

Database configuration

This section describes the database configuration fields available for Project Quay deployments.

Database URI

With Project Quay, connection to the database is configured by using the required DB_URI field.

The following table describes the DB_URI configuration field:

Table 3. Database URI
Field	Type	Description
DB_URI (Required)	String	The URI for accessing the database, including any credentials. Example `DB_URI` field: postgresql://quayuser:quaypass@quay-server.example.com:5432/quay

Database connection arguments

Optional connection arguments are configured by the DB_CONNECTION_ARGS parameter. Some of the key-value pairs defined under DB_CONNECTION_ARGS are generic, while others are database specific.

The following table describes database connection arguments:

Table 4. Database connection arguments
Field	Type	Description
DB_CONNECTION_ARGS	Object	Optional connection arguments for the database, such as timeouts and SSL/TLS.
.autorollback	Boolean	Whether to use thread-local connections. Should always be `true`
.threadlocals	Boolean	Whether to use auto-rollback connections. Should always be `true`

PostgreSQL SSL/TLS connection arguments

With SSL/TLS, configuration depends on the database you are deploying. The following example shows a PostgreSQL SSL/TLS configuration:

DB_CONNECTION_ARGS:
  sslmode: verify-ca
  sslrootcert: /path/to/cacert

The sslmode option determines whether, or with, what priority a secure SSL/TLS TCP/IP connection will be negotiated with the server. There are six modes:

Table 5. SSL/TLS options
Mode	Description
disable	Your configuration only tries non-SSL/TLS connections.
allow	Your configuration first tries a non-SSL/TLS connection. Upon failure, tries an SSL/TLS connection.
prefer (Default)	Your configuration first tries an SSL/TLS connection. Upon failure, tries a non-SSL/TLS connection.
require	Your configuration only tries an SSL/TLS connection. If a root CA file is present, it verifies the certificate in the same way as if verify-ca was specified.
verify-ca	Your configuration only tries an SSL/TLS connection, and verifies that the server certificate is issued by a trusted certificate authority (CA).
verify-full	Only tries an SSL/TLS connection, and verifies that the server certificate is issued by a trusted CA and that the requested server hostname matches that in the certificate.

For more information on the valid arguments for PostgreSQL, see Database Connection Control Functions.

MySQL SSL/TLS connection arguments

The following example shows a sample MySQL SSL/TLS configuration:

DB_CONNECTION_ARGS:
  ssl:
    ca: /path/to/cacert

Information on the valid connection arguments for MySQL is available at Connecting to the Server Using URI-Like Strings or Key-Value Pairs.

Image storage

This section details the image storage features and configuration fields that are available with Project Quay.

Image storage features

The following table describes the image storage features for Project Quay:

Table 6. Storage config features
Field	Type	Description
FEATURE_REPO_MIRROR	Boolean	If set to true, enables repository mirroring. Default: `false`
FEATURE_PROXY_STORAGE	Boolean	Whether to proxy all direct download URLs in storage through NGINX. Default: `false`
FEATURE_STORAGE_REPLICATION	Boolean	Whether to automatically replicate between storage engines. Default: `false`

Image storage configuration fields

The following table describes the image storage configuration fields for Project Quay:

Table 7. Storage config fields
Field	Type	Description
DISTRIBUTED_STORAGE_CONFIG (Required)	Object	Configuration for storage engine(s) to use in Project Quay. Each key represents an unique identifier for a storage engine. The value consists of a tuple of (key, value) forming an object describing the storage engine parameters. Default: `[]`
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS (Required)	Array of string	The list of storage engine(s) (by ID in `DISTRIBUTED_STORAGE_CONFIG`) whose images should be fully replicated, by default, to all other storage engines.
DISTRIBUTED_STORAGE_PREFERENCE (Required)	Array of string	The preferred storage engine(s) (by ID in `DISTRIBUTED_STORAGE_CONFIG`) to use. A preferred engine means it is first checked for pulling and images are pushed to it. Default: `false`
MAXIMUM_LAYER_SIZE	String	Maximum allowed size of an image layer. Pattern: `^[0-9]+(G\|M)$` Example: `100G` Default: `20G`

Local storage

The following YAML shows a sample configuration using local storage:

DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default

OCS/NooBaa

The following YAML shows a sample configuration using an Open Container Storage/NooBaa instance:

DISTRIBUTED_STORAGE_CONFIG:
  rhocsStorage:
    - RHOCSStorage
    - access_key: access_key_here
      secret_key: secret_key_here
      bucket_name: quay-datastore-9b2108a3-29f5-43f2-a9d5-2872174f9a56
      hostname: s3.openshift-storage.svc.cluster.local
      is_secure: 'true'
      port: '443'
      storage_path: /datastorage/registry

Ceph/RadosGW storage

The following examples show two possible YAML configurations when using Ceph/RadosGW.

Example A: Using RadosGW with the radosGWStorage driver

DISTRIBUTED_STORAGE_CONFIG:
  radosGWStorage:
    - RadosGWStorage
    - access_key: <access_key_here>
      secret_key: <secret_key_here>
      bucket_name: <bucket_name_here>
      hostname: <hostname_here>
      is_secure: true
      port: '443'
      storage_path: /datastorage/registry

Example B: Using RadosGW with general s3 access

DISTRIBUTED_STORAGE_CONFIG:
  s3Storage: (1)
    - RadosGWStorage
    - access_key: <access_key_here>
      bucket_name: <bucket_name_here>
      hostname: <hostname_here>
      is_secure: true
      secret_key: <secret_key_here>
      storage_path: /datastorage/registry

Used for general s3 access. Note that general s3 access is not strictly limited to Amazon Web Services (AWS) 3, and can be used with RadosGW or other storage services. For an example of general s3 access using the AWS S3 driver, see "AWS S3 storage".

AWS S3 storage

The following YAML shows a sample configuration using AWS S3 storage.

DISTRIBUTED_STORAGE_CONFIG:
  default:
    - S3Storage (1)
    - host: s3.us-east-2.amazonaws.com
      s3_access_key: ABCDEFGHIJKLMN
      s3_secret_key: OL3ABCDEFGHIJKLMN
      s3_bucket: quay_bucket
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - s3Storage

The S3Storage storage driver should only be used for AWS S3 buckets. Note that this differs from general S3 access, where the RadosGW driver or other storage services can be used. For an example, see "Example B: Using RadosGW with general S3 access".

Google Cloud Storage

The following YAML shows a sample configuration using Google Cloud Storage:

DISTRIBUTED_STORAGE_CONFIG:
    googleCloudStorage:
        - GoogleCloudStorage
        - access_key: GOOGQIMFB3ABCDEFGHIJKLMN
          bucket_name: quay-bucket
          secret_key: FhDAYe2HeuAKfvZCAGyOioNaaRABCDEFGHIJKLMN
          storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - googleCloudStorage

Azure Storage

The following YAML shows a sample configuration using Azure Storage:

DISTRIBUTED_STORAGE_CONFIG:
  azureStorage:
    - AzureStorage
    - azure_account_name: azure_account_name_here
      azure_container: azure_container_here
      storage_path: /datastorage/registry
      azure_account_key: azure_account_key_here
      sas_token: some/path/
      endpoint_url: https://[account-name].blob.core.usgovcloudapi.net (1)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - azureStorage

The endpoint_url parameter for Azure storage is optional and can be used with Microsoft Azure Government (MAG) endpoints. If left blank, the endpoint_url will connect to the normal Azure region.

As of Project Quay 3.7, you must use the Primary endpoint of your MAG Blob service. Using the Secondary endpoint of your MAG Blob service will result in the following error: AuthenticationErrorDetail:Cannot find the claimed account when trying to GetProperties for the account whusc8-secondary.

Swift storage

The following YAML shows a sample configuration using Swift storage:

DISTRIBUTED_STORAGE_CONFIG:
  swiftStorage:
    - SwiftStorage
    - swift_user: swift_user_here
      swift_password: swift_password_here
      swift_container: swift_container_here
      auth_url: https://example.org/swift/v1/quay
      auth_version: 1
      ca_cert_path: /conf/stack/swift.cert"
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - swiftStorage

Nutanix object storage

The following YAML shows a sample configuration using Nutanix object storage.

DISTRIBUTED_STORAGE_CONFIG:
  nutanixStorage: #storage config name
    - RadosGWStorage #actual driver
    - access_key: access_key_here #parameters
      secret_key: secret_key_here
      bucket_name: bucket_name_here
      hostname: hostname_here
      is_secure: 'true'
      port: '443'
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE: #must contain name of the storage config
    - nutanixStorage

Redis configuration fields

This section details the configuration fields available for Redis deployments.

Build logs

The following build logs configuration fields are available for Redis deployments:

Table 8. Build logs configuration
Field	Type	Description
BUILDLOGS_REDIS (Required)	Object	Redis connection details for build logs caching.
.host (Required)	String	The hostname at which Redis is accessible. Example: `quay-server.example.com`
.port (Required)	Number	The port at which Redis is accessible. Example: `6379`
.password	String	The password to connect to the Redis instance. Example: `strongpassword`
.ssl (Optional)	Boolean	Whether to enable TLS communication between Redis and Quay. Defaults to false.

User events

The following user event fields are available for Redis deployments:

Table 9. User events config
Field	Type	Description
USER_EVENTS_REDIS (Required)	Object	Redis connection details for user event handling.
.host (Required)	String	The hostname at which Redis is accessible. Example: `quay-server.example.com`
.port (Required)	Number	The port at which Redis is accessible. Example: `6379`
.password	String	The password to connect to the Redis instance. Example: `strongpassword`
.ssl	Boolean	Whether to enable TLS communication between Redis and Quay. Defaults to false.
.ssl_keyfile (Optional)	String	The name of the key database file, which houses the client certificate to be used. Example: `ssl_keyfile: /path/to/server/privatekey.pem`
.ssl_certfile (Optional)	String	Used for specifying the file path of the SSL certificate. Example: `ssl_certfile: /path/to/server/certificate.pem`
.ssl_cert_reqs (Optional)	String	Used to specify the level of certificate validation to be performed during the SSL/TLS handshake. Example: `ssl_cert_reqs: CERT_REQUIRED`
.ssl_ca_certs (Optional)	String	Used to specify the path to a file containing a list of trusted Certificate Authority (CA) certificates. Example: `ssl_ca_certs: /path/to/ca_certs.pem`
.ssl_ca_data (Optional)	String	Used to specify a string containing the trusted CA certificates in PEM format. Example: `ssl_ca_data: <certificate>`
.ssl_check_hostname (Optional)	Boolean	Used when setting up an SSL/TLS connection to a server. It specifies whether the client should check that the hostname in the server’s SSL/TLS certificate matches the hostname of the server it is connecting to. Example: `ssl_check_hostname: true`

Example Redis configuration

The following YAML shows a sample configuration using Redis with optional SSL/TLS fields:

BUILDLOGS_REDIS:
  host: quay-server.example.com
  password: strongpassword
  port: 6379
  ssl: true


USER_EVENTS_REDIS:
  host: quay-server.example.com
  password: strongpassword
  port: 6379
  ssl: true
  ssl_*: <path_location_or_certificate>

Note	If your deployment uses Azure Cache for Redis and `ssl` is set to `true`, the port defaults to `6380`.

ModelCache configuration options

The following options are available on Project Quay for configuring ModelCache.

Memcache configuration option

Memcache is the default ModelCache configuration option. With Memcache, no additional configuration is necessary.

Single Redis configuration option

The following configuration is for a single Redis instance with optional read-only replicas:

    DATA_MODEL_CACHE_CONFIG:
      engine: redis
      redis_config:
        primary:
            host: <host>
            port: <port>
            password: <password if ssl is true>
           ssl: <true | false >
        replica:
            host: <host>
            port: <port>
            password: <password if ssl is true>
           ssl: <true | false >

Clustered Redis configuration option

Use the following configuration for a clustered Redis instance:

    DATA_MODEL_CACHE_CONFIG:
      engine: rediscluster
      redis_config:
        startup_nodes:
          - host: <cluster-host>
            port: <port>
        password: <password if ssl: true>
        read_from_replicas: <true|false>
        skip_full_coverage_check: <true | false>
        ssl: <true | false >

Tag expiration configuration fields

The following tag expiration configuration fields are available with Project Quay:

Table 10. Tag expiration configuration fields
Field	Type	Description
FEATURE_GARBAGE_COLLECTION	Boolean	Whether garbage collection of repositories is enabled. Default: True
TAG_EXPIRATION_OPTIONS (Required)	Array of string	If enabled, the options that users can select for expiration of tags in their namespace. Pattern: `^[0-9]+(w\|m\|d\|h\|s)$`
DEFAULT_TAG_EXPIRATION (Required)	String	The default, configurable tag expiration time for time machine. Pattern: `^[0-9]+(w\|m\|d\|h\|s)$` Default: `2w`
FEATURE_CHANGE_TAG_EXPIRATION	Boolean	Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Default: True
FEATURE_AUTO_PRUNE	Boolean	When set to `True`, enables functionality related to the auto-pruning of tags. Default: `False`

Example tag expiration configuration

The following YAML shows a sample tag expiration configuration:

DEFAULT_TAG_EXPIRATION: 2w
TAG_EXPIRATION_OPTIONS:
    - 0s
    - 1d
    - 1w
    - 2w
    - 4w

Quota management configuration fields

Table 11. Quota management configuration
Field	Type	Description
FEATURE_QUOTA_MANAGEMENT	Boolean	Enables configuration, caching, and validation for quota management feature. Default: `False`
DEFAULT_SYSTEM_REJECT_QUOTA_BYTES	String	Enables system default quota reject byte allowance for all organizations. By default, no limit is set.
QUOTA_BACKFILL	Boolean	Enables the quota backfill worker to calculate the size of pre-existing blobs. Default: `True`
QUOTA_TOTAL_DELAY_SECONDS	String	The time delay for starting the quota backfill. Rolling deployments can cause incorrect totals. This field must be set to a time longer than it takes for the rolling deployment to complete. Default: `1800`
PERMANENTLY_DELETE_TAGS	Boolean	Enables functionality related to the removal of tags from the time machine window. Default: `False`
RESET_CHILD_MANIFEST_EXPIRATION	Boolean	Resets the expirations of temporary tags targeting the child manifests. With this feature set to `True`, child manifests are immediately garbage collected. Default: `False`

Example quota management configuration

The following YAML is the suggested configuration when enabling quota management.

Quota management YAML configuration

FEATURE_QUOTA_MANAGEMENT: true
FEATURE_GARBAGE_COLLECTION: true
PERMANENTLY_DELETE_TAGS: true
QUOTA_TOTAL_DELAY_SECONDS: 1800
RESET_CHILD_MANIFEST_EXPIRATION: true

Proxy cache configuration fields

Table 12. Proxy configuration
Field	Type	Description
FEATURE_PROXY_CACHE	Boolean	Enables Project Quay to act as a pull through cache for upstream registries. Default: `false`

Robot account configuration fields

Table 13. Robot account configuration fields
Field	Type	Description
ROBOTS_DISALLOW	Boolean	When set to `true`, robot accounts are prevented from all interactions, as well as from being created Default: `False`

Pre-configuring Project Quay for automation

Project Quay supports several configuration options that enable automation. Users can configure these options before deployment to reduce the need for interaction with the user interface.

Allowing the API to create the first user

To create the first user, users need to set the FEATURE_USER_INITIALIZE parameter to true and call the /api/v1/user/initialize API. Unlike all other registry API calls that require an OAuth token generated by an OAuth application in an existing organization, the API endpoint does not require authentication.

Users can use the API to create a user such as quayadmin after deploying Project Quay, provided no other users have been created. For more information, see Using the API to create the first user.

Enabling general API access

Users should set the BROWSER_API_CALLS_XHR_ONLY config option to false to allow general access to the Project Quay registry API.

Adding a superuser

After deploying Project Quay, users can create a user and give the first user administrator privileges with full permissions. Users can configure full permissions in advance by using the SUPER_USER configuration object. For example:

...
SERVER_HOSTNAME: quay-server.example.com
SETUP_COMPLETE: true
SUPER_USERS:
  - quayadmin
...

Restricting user creation

After you have configured a superuser, you can restrict the ability to create new users to the superuser group by setting the FEATURE_USER_CREATION to false. For example:

...
FEATURE_USER_INITIALIZE: true
BROWSER_API_CALLS_XHR_ONLY: false
SUPER_USERS:
- quayadmin
FEATURE_USER_CREATION: false
...

Enabling new functionality in Project Quay 3.10

To use new Project Quay 3.8 functions, enable some or all of the following features:

FEATURE_UI_V2: true
FEATURE_UI_V2_REPO_SETTINGS: true
FEATURE_AUTO_PRUNE: true
ROBOTS_DISALLOW: false

Suggested configuration for automation

The following config.yaml parameters are suggested for automation:

...
FEATURE_USER_INITIALIZE: true
BROWSER_API_CALLS_XHR_ONLY: false
SUPER_USERS:
- quayadmin
FEATURE_USER_CREATION: false
...

Deploying the Project Quay Operator using the initial configuration

Use the following procedure to deploy Project Quay on OpenShift Container Platform using the initial configuration.

Prerequisites

You have installed the oc CLI.

Procedure

Create a secret using the configuration file:

$ oc create secret generic -n quay-enterprise --from-file config.yaml=./config.yaml init-config-bundle-secret

Create a quayregistry.yaml file. Identify the unmanaged components and reference the created secret, for example:

apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: example-registry
  namespace: quay-enterprise
spec:
  configBundleSecret: init-config-bundle-secret

Deploy the Project Quay registry:

$ oc create -n quay-enterprise -f quayregistry.yaml

Next Steps

Using the API to create the first user

Using the API to create the first user

Use the following procedure to create the first user in your Project Quay organization.

Prerequisites

The config option FEATURE_USER_INITIALIZE must be set to true.
No users can already exist in the database.

Note	Procedure This procedure requests an OAuth token by specifying `"access_token": true`.

As the root user, install python39 by entering the following command:
```
$ sudo yum install python39
```
Upgrade the pip package manager for Python 3.9:
```
$ python3.9 -m pip install --upgrade pip
```
Use the pip package manager to install the bcrypt package:
```
$ pip install bcrypt
```
Generate a secure, hashed password using the bcrypt package in Python 3.9 by entering the following command:
```
$ python3.9 -c 'import bcrypt; print(bcrypt.hashpw(b"subquay12345", bcrypt.gensalt(12)).decode("utf-8"))'
```
Open your Project Quay configuration file and update the following configuration fields:
```
FEATURE_USER_INITIALIZE: true
SUPER_USERS:
     -  quayadmin
```
Stop the Project Quay service by entering the following command:
```
$ sudo podman stop quay
```

Start the Project Quay service by entering the following command:

$ sudo podman run -d -p 80:8080 -p 443:8443 --name=quay -v $QUAY/config:/conf/stack:Z  -v $QUAY/storage:/datastorage:Z {productrepo}/{quayimage}:{productminv}

Run the following CURL command to generate a new user with a username, password, email, and access token:

$ curl -X POST -k  http://quay-server.example.com/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin", "password":"quaypass12345", "email": "quayadmin@example.com", "access_token": true}'

If successful, the command returns an object with the username, email, and encrypted password. For example:

{"access_token":"6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED", "email":"quayadmin@example.com","encrypted_password":"1nZMLH57RIE5UGdL/yYpDOHLqiNCgimb6W9kfF8MjZ1xrfDpRyRs9NUnUuNuAitW","username":"quayadmin"} # gitleaks:allow

If a user already exists in the database, an error is returned:

{"message":"Cannot initialize user in a non-empty database"}

If your password is not at least eight characters or contains whitespace, an error is returned:

{"message":"Failed to initialize user: Invalid password, password must be at least 8 characters and contain no whitespace."}

$ sudo podman login -u quayadmin -p quaypass12345 http://quay-server.example.com --tls-verify=false

Example output

Login Succeeded!

Using the OAuth token

After invoking the API, you can call out the rest of the Project Quay API by specifying the returned OAuth code.

Prerequisites

You have invoked the /api/v1/user/initialize API, and passed in the username, password, and email address.

Procedure

Obtain the list of current users by entering the following command:

$ curl -X GET -k -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/superuser/users/

Example output:

{
    "users": [
        {
            "kind": "user",
            "name": "quayadmin",
            "username": "quayadmin",
            "email": "quayadmin@example.com",
            "verified": true,
            "avatar": {
                "name": "quayadmin",
                "hash": "3e82e9cbf62d25dec0ed1b4c66ca7c5d47ab9f1f271958298dea856fb26adc4c",
                "color": "#e7ba52",
                "kind": "user"
            },
            "super_user": true,
            "enabled": true
        }
    ]
}

In this instance, the details for the quayadmin user are returned as it is the only user that has been created so far.

Using the API to create an organization

The following procedure details how to use the API to create a Project Quay organization.

Prerequisites

You have invoked the /api/v1/user/initialize API, and passed in the username, password, and email address.
You have called out the rest of the Project Quay API by specifying the returned OAuth code.

Procedure

To create an organization, use a POST call to api/v1/organization/ endpoint:

$ curl -X POST -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/ --data '{"name": "testorg", "email": "testorg@example.com"}'

Example output:

"Created"

You can retrieve the details of the organization you created by entering the following command:

$ curl -X GET -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://min-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/testorg

Example output:

{
    "name": "testorg",
    "email": "testorg@example.com",
    "avatar": {
        "name": "testorg",
        "hash": "5f113632ad532fc78215c9258a4fb60606d1fa386c91b141116a1317bf9c53c8",
        "color": "#a55194",
        "kind": "user"
    },
    "is_admin": true,
    "is_member": true,
    "teams": {
        "owners": {
            "name": "owners",
            "description": "",
            "role": "admin",
            "avatar": {
                "name": "owners",
                "hash": "6f0e3a8c0eb46e8834b43b03374ece43a030621d92a7437beb48f871e90f8d90",
                "color": "#c7c7c7",
                "kind": "team"
            },
            "can_view": true,
            "repo_count": 0,
            "member_count": 1,
            "is_synced": false
        }
    },
    "ordered_teams": [
        "owners"
    ],
    "invoice_email": false,
    "invoice_email_address": null,
    "tag_expiration_s": 1209600,
    "is_free_account": true
}

Basic configuration fields

Table 14. Basic configuration
Field	Type	Description
REGISTRY_TITLE	String	If specified, the long-form title for the registry. Displayed in frontend of your Project Quay deployment, for example, at the sign in page of your organization. Should not exceed 35 characters. Default: `Red Hat Quay`
REGISTRY_TITLE_SHORT	String	If specified, the short-form title for the registry. Title is displayed on various pages of your organization, for example, as the title of the tutorial on your organization’s Tutorial page. Default: `Red Hat Quay`
CONTACT_INFO	Array of String	If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly.
[0]	String	Adds a link to send an e-mail. Pattern: `^mailto:(.)+$` Example: `mailto:support@quay.io`
[1]	String	Adds a link to visit an IRC chat room. Pattern: `^irc://(.)+$` Example: `irc://chat.freenode.net:6665/quay`
[2]	String	Adds a link to call a phone number. Pattern: `^tel:(.)+$` Example: `tel:+1-888-930-3475`
[3]	String	Adds a link to a defined URL. Pattern: `^http(s)?://(.)+$` Example: `https://twitter.com/quayio`

SSL configuration fields

Table 15. SSL configuration
Field	Type	Description
PREFERRED_URL_SCHEME	String	One of `http` or `https`. Note that users only set their `PREFERRED_URL_SCHEME` to `http` when there is no TLS encryption in the communication path from the client to Quay. Users must set their PREFERRED_URL_SCHEME`to `https when using a TLS-terminating load balancer, a reverse proxy (for example, Nginx), or when using Quay with custom SSL certificates directly. In most cases, the `PREFERRED_URL_SCHEME` should be `https`. Default: `http`
SERVER_HOSTNAME (Required)	String	The URL at which Project Quay is accessible, without the scheme Example: `quay-server.example.com`
SSL_CIPHERS	Array of String	If specified, the nginx-defined list of SSL ciphers to enabled and disabled Example: [`ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `DHE-RSA-AES128-GCM-SHA256`, `DHE-DSS-AES128-GCM-SHA256`, `kEDH+AESGCM`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA`, `ECDHE-ECDSA-AES256-SHA`, `DHE-RSA-AES128-SHA256`, `DHE-RSA-AES128-SHA`, `DHE-DSS-AES128-SHA256`, `DHE-RSA-AES256-SHA256`, `DHE-DSS-AES256-SHA`, `DHE-DSS-AES256-SHA`, `AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA256`, `AES256-SHA256`, `AES128-SHA`, `AES256-SHA`, `AES`, `!3DES"`, `!aNULL`, `!eNULL`, `!EXPORT`, `DES`, `!RC4`, `MD5`, `!PSK`, `!aECDH`, `!EDH-DSS-DES-CBC3-SHA`, `!EDH-RSA-DES-CBC3-SHA`, `!KRB5-DES-CBC3-SHA`]
SSL_PROTOCOLS	Array of String	If specified, nginx is configured to enabled a list of SSL protocols defined in the list. Removing an SSL protocol from the list disables the protocol during Project Quay startup. Example: ['TLSv1','TLSv1.1','TLSv1.2', `TLSv1.3]`
SESSION_COOKIE_SECURE	Boolean	Whether the `secure` property should be set on session cookies Default: False Recommendation: Set to True for all installations using SSL

Configuring SSL

Copy the certificate file and primary key file to your configuration directory, ensuring they are named ssl.cert and ssl.key respectively:
```
$ cp ~/ssl.cert $QUAY/config
$ cp ~/ssl.key $QUAY/config
$ cd $QUAY/config
```

Edit the config.yaml file and specify that you want Quay to handle TLS:

config.yaml

...
SERVER_HOSTNAME: quay-server.example.com
...
PREFERRED_URL_SCHEME: https
...

Stop the Quay container and restart the registry

Adding TLS Certificates to the Project Quay Container

To add custom TLS certificates to Project Quay, create a new directory named extra_ca_certs/ beneath the Project Quay config directory. Copy any required site-specific TLS certificates to this new directory.

Add TLS certificates to Project Quay

View certificate to be added to the container

$ cat storage.crt
-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
[...]
-----END CERTIFICATE-----

Create certs directory and copy certificate there

$ mkdir -p quay/config/extra_ca_certs
$ cp storage.crt quay/config/extra_ca_certs/
$ tree quay/config/
├── config.yaml
├── extra_ca_certs
│   ├── storage.crt

Obtain the Quay container’s CONTAINER ID with podman ps:

$ sudo podman ps
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS              PORTS
5a3e82c4a75f        <registry>/<repo>/quay:v3.10.0 "/sbin/my_init"          24 hours ago        Up 18 hours         0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 443/tcp   grave_keller

Restart the container with that ID:
```
$ sudo podman restart 5a3e82c4a75f
```

Examine the certificate copied into the container namespace:

$ sudo podman exec -it 5a3e82c4a75f cat /etc/ssl/certs/storage.pem
-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV

LDAP configuration fields

Table 16. LDAP configuration
Field	Type	Description
AUTHENTICATION_TYPE (Required)	String	Must be set to `LDAP`.
FEATURE_TEAM_SYNCING	Boolean	Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone). Default: `true`
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP	Boolean	If enabled, non-superusers can setup syncing on teams using LDAP. Default: `false`
LDAP_ADMIN_DN	String	The admin DN for LDAP authentication.
LDAP_ADMIN_PASSWD	String	The admin password for LDAP authentication.
LDAP_ALLOW_INSECURE_FALLBACK	Boolean	Whether or not to allow SSL insecure fallback for LDAP authentication.
LDAP_BASE_DN	Array of String	The base DN for LDAP authentication.
LDAP_EMAIL_ATTR	String	The email attribute for LDAP authentication.
LDAP_UID_ATTR	String	The uid attribute for LDAP authentication.
LDAP_URI	String	The LDAP URI.
LDAP_USER_FILTER	String	The user filter for LDAP authentication.
LDAP_USER_RDN	Array of String	The user RDN for LDAP authentication.
TEAM_RESYNC_STALE_TIME	String	If team syncing is enabled for a team, how often to check its membership and resync if necessary. Pattern: `^[0-9]+(w\|m\|d\|h\|s)$` Example: `2h` Default: `30m`
LDAP_SUPERUSER_FILTER	String	Subset of the `LDAP_USER_FILTER` configuration field. When configured, allows Project Quay administrators the ability to configure Lightweight Directory Access Protocol (LDAP) users as superusers when Project Quay uses LDAP as its authentication provider. With this field, administrators can add or remove superusers without having to update the Project Quay configuration file and restart their deployment. This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`.
LDAP_RESTRICTED_USER_FILTER	String	Subset of the `LDAP_USER_FILTER` configuration field. When configured, allows Project Quay administrators the ability to configure Lightweight Directory Access Protocol (LDAP) users as restricted users when Project Quay uses LDAP as its authentication provider. This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`.
LDAP_TIMEOUT	Integer	Determines the maximum time period. in seconds, allowed for establishing a connection to the Lightweight Directory Access Protocol (LDAP) server. Default: `10`
LDAP_NETWORK_TIMEOUT	Integer	Defines the maximum time duration, in seconds, that Project Quay waits for a response from the Lightweight Directory Access Protocol (LDAP) server during network operations. Default: `10`

LDAP configuration references

Use the following references to update your config.yaml file with the desired configuration field.

Basic LDAP configuration

---
AUTHENTICATION_TYPE: LDAP
---
LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
LDAP_ADMIN_PASSWD: ABC123
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldaps://<ldap_url_domain_name>
LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,dc=<domain_name>,dc=com)
LDAP_USER_RDN:
    - ou=<example_organization_unit>
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com

LDAP restricted user configuration

---
AUTHENTICATION_TYPE: LDAP
---
LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
LDAP_ADMIN_PASSWD: ABC123
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://<example_url>.com
LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,o=<example_organization_unit>,dc=<example_domain_component>,dc=com)
LDAP_RESTRICTED_USER_FILTER: (<filterField>=<value>)
LDAP_USER_RDN:
    - ou=<example_organization_unit>
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
---

LDAP superuser configuration reference

---
AUTHENTICATION_TYPE: LDAP
---
LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
LDAP_ADMIN_PASSWD: ABC123
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://<example_url>.com
LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,o=<example_organization_unit>,dc=<example_domain_component>,dc=com)
LDAP_SUPERUSER_FILTER: (<filterField>=<value>)
LDAP_USER_RDN:
    - ou=<example_organization_unit>
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com

Mirroring configuration fields

Table 17. Mirroring configuration
Field	Type	Description
FEATURE_REPO_MIRROR	Boolean	Enable or disable repository mirroring Default: `false`
REPO_MIRROR_INTERVAL	Number	The number of seconds between checking for repository mirror candidates Default: 30
REPO_MIRROR_SERVER_HOSTNAME	String	Replaces the `SERVER_HOSTNAME` as the destination for mirroring. Default: None Example: `openshift-quay-service`
REPO_MIRROR_TLS_VERIFY	Boolean	Require HTTPS and verify certificates of Quay registry during mirror. Default: `false`
REPO_MIRROR_ROLLBACK	Boolean	When set to `true`, the repository rolls back after a failed mirror attempt. Default: `false`

Security scanner configuration fields

Table 18. Security scanner configuration
Field	Type	Description
FEATURE_SECURITY_SCANNER	Boolean	Enable or disable the security scanner Default: `false`
FEATURE_SECURITY_NOTIFICATIONS	Boolean	If the security scanner is enabled, turn on or turn off security notifications Default: `false`
SECURITY_SCANNER_V4_REINDEX_THRESHOLD	String	This parameter is used to determine the minimum time, in seconds, to wait before re-indexing a manifest that has either previously failed or has changed states since the last indexing. The data is calculated from the `last_indexed datetime` in the manifestsecuritystatus table. This parameter is used to avoid trying to re-index every failed manifest on every indexing run. The default time to re-index is 300 seconds.
SECURITY_SCANNER_V4_ENDPOINT	String	The endpoint for the V4 security scanner Pattern: `^http(s)?://(.)+$` Example: `http://192.168.99.101:6060`
SECURITY_SCANNER_V4_PSK	String	The generated pre-shared key (PSK) for Clair
SECURITY_SCANNER_ENDPOINT	String	The endpoint for the V2 security scanner Pattern: `^http(s)?://(.)+$` Example: `http://192.168.99.100:6060`
SECURITY_SCANNER_INDEXING_INTERVAL	Integer	This parameter is used to determine the number of seconds between indexing intervals in the security scanner. When indexing is triggered, Project Quay will query its database for manifests that must be indexed by Clair. These include manifests that have not yet been indexed and manifests that previously failed indexing. Default: 30
FEATURE_SECURITY_SCANNER_NOTIFY_ON_NEW_INDEX	Boolean	Whether to allow sending notifications about vulnerabilities for new pushes. Default: `True`
SECURITY_SCANNER_V4_MANIFEST_CLEANUP	Boolean	Whether the Project Quay garbage collector removes manifests that are not referenced by other tags or manifests. Default*: `True`

Re-indexing with Clair v4

When Clair v4 indexes a manifest, the result should be deterministic. For example, the same manifest should produce the same index report. This is true until the scanners are changed, as using different scanners will produce different information relating to a specific manifest to be returned in the report. Because of this, Clair v4 exposes a state representation of the indexing engine (/indexer/api/v1/index_state) to determine whether the scanner configuration has been changed.

Project Quay leverages this index state by saving it to the index report when parsing to Quay’s database. If this state has changed since the manifest was previously scanned, Project Quay will attempt to re-index that manifest during the periodic indexing process.

By default this parameter is set to 30 seconds. Users might decrease the time if they want the indexing process to run more frequently, for example, if they did not want to wait 30 seconds to see security scan results in the UI after pushing a new tag. Users can also change the parameter if they want more control over the request pattern to Clair and the pattern of database operations being performed on the Project Quay database.

Example security scanner configuration

The following YAML is the suggested configuration when enabling the security scanner feature.

Security scanner YAML configuration

FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_SECURITY_SCANNER_NOTIFY_ON_NEW_INDEX: true
...
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_MANIFEST_CLEANUP: true
SECURITY_SCANNER_V4_ENDPOINT: http://quay-server.example.com:8081
SECURITY_SCANNER_V4_PSK: MTU5YzA4Y2ZkNzJoMQ==
SERVER_HOSTNAME: quay-server.example.com
...

Helm configuration fields

Table 19. Helm configuration fields
Field	Type	Description
FEATURE_GENERAL_OCI_SUPPORT	Boolean	Enable support for OCI artifacts. Default: True

The following Open Container Initiative (OCI) artifact types are built into Project Quay by default and are enabled through the FEATURE_GENERAL_OCI_SUPPORT configuration field:

Field Media Type Supported content types

Field	Media Type	Supported content types
Helm	`application/vnd.cncf.helm.config.v1+json`	`application/tar+gzip`, `application/vnd.cncf.helm.chart.content.v1.tar+gzip`
Cosign	`application/vnd.oci.image.config.v1+json`	`application/vnd.dev.cosign.simplesigning.v1+json`, `application/vnd.dsse.envelope.v1+json`
SPDX	`application/vnd.oci.image.config.v1+json`	`text/spdx`, `text/spdx+xml`, `text/spdx+json`
Syft	`application/vnd.oci.image.config.v1+json`	`application/vnd.syft+json`
CycloneDX	`application/vnd.oci.image.config.v1+json`	`application/vnd.cyclonedx`, `application/vnd.cyclonedx+xml`, `application/vnd.cyclonedx+json`
In-toto	`application/vnd.oci.image.config.v1+json`	`application/vnd.in-toto+json`
Unknown	`application/vnd.cncf.openpolicyagent.policy.layer.v1+rego`	`application/vnd.cncf.openpolicyagent.policy.layer.v1+rego`, `application/vnd.cncf.openpolicyagent.data.layer.v1+json`

Helm

application/vnd.cncf.helm.config.v1+json

application/tar+gzip, application/vnd.cncf.helm.chart.content.v1.tar+gzip

Cosign